CVE-2010-4342: Linux kernel ACORN over UDP NULL Pointer Dereference

This vulnerability was discovered and disclosed by Nelson Elhage and was reported on the linux-netdev mailing list, as you can read here. This is a nice bug since it affects the Linux kernel at least since 2.6.12 (probably earlier releases too), and it begins in net/econet/af_econet.c, as you can read here:

N. Elhage noticed that when the socket buffer (‘skbuff’) is obtained with skb_recv_datagram(), a member that aun_incoming() later uses will always be set to NULL. If we have a look at skb_recv_datagram(), located in net/core/datagram.c, we’ll see that it is just a wrapper around __skb_recv_datagram().

This is nothing more than a loop that walks the ‘sk->sk_receive_queue’ queue in order to find the requested socket buffer and return it. Those buffers are placed in this queue by a function located in net/core/sock.c which, among other things, includes this code:

You can see that the ‘skb->dev’ pointer is explicitly set to NULL when the socket buffer is inserted into the queue discussed above. Now, if we move back to aun_data_available(), we’ll see that for a datagram whose ‘ah->code’ (the AUN protocol code byte) equals two, aun_incoming() is invoked. The latter routine leads to a NULL pointer dereference because of this:
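To make the chain of events concrete, here is a small userspace model of the pattern, added as an illustration and not taken from the kernel sources or from the original write-up. The structure names (econet_dev, net_dev, skb), the station field and the queue_on_socket() step are constructed stand-ins for the kernel's net_device, ec_ptr and the sock.c code that clears skb->dev; the checked variant simply refuses a buffer with no device attached, which is one defensive pattern and is not claimed to be the upstream fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel structures involved (assumption, not kernel code). */
struct econet_dev { int station; };            /* per-device Econet data (kernel: dev->ec_ptr target) */
struct net_dev { struct econet_dev *ec_ptr; };  /* receiving interface (kernel: struct net_device) */
struct skb {
    struct net_dev *dev;   /* interface the datagram arrived on; cleared once queued on a socket */
    uint8_t code;          /* AUN header code byte; 2 selects the aun_incoming() path */
};

/* Models the sock.c step described above: queueing on the socket drops the device pointer. */
static void queue_on_socket(struct skb *skb)
{
    skb->dev = NULL;
}

/* Vulnerable consumer: trusts skb->dev. On a buffer that has been queued
 * (dev == NULL) this is exactly the NULL pointer dereference discussed. */
static int aun_incoming_unchecked(const struct skb *skb)
{
    return skb->dev->ec_ptr->station;
}

/* Checked consumer: validates the pointer chain before touching it and
 * reports a dropped datagram instead of dereferencing NULL. */
static int aun_incoming_checked(const struct skb *skb, int *station)
{
    if (skb->dev == NULL || skb->dev->ec_ptr == NULL)
        return -1;   /* drop: no device attached to this buffer */
    *station = skb->dev->ec_ptr->station;
    return 0;
}

/* Models aun_data_available(): dispatch on the AUN code, 0 on success, -1 if dropped. */
static int aun_data_available(const struct skb *skb, int *station)
{
    if (skb->code == 2)
        return aun_incoming_checked(skb, station);
    return -1;   /* other codes are not handled in this model */
}

int main(void)
{
    struct econet_dev ed = { 7 };
    struct net_dev nd = { &ed };
    struct skb s = { &nd, 2 };   /* constructed datagram with a device still attached */
    int station = 0;

    /* Before queueing both variants work, because dev is non-NULL. */
    printf("unchecked, device attached: station %d\n", aun_incoming_unchecked(&s));

    /* After the socket layer queues the buffer, dev is NULL: the unchecked
     * variant would crash here, the checked one drops the datagram. */
    queue_on_socket(&s);
    if (aun_data_available(&s, &station) < 0)
        printf("checked, device cleared: datagram dropped\n");
    return 0;
}
```

The point of the model is the ordering: the field is valid when the driver first sees the buffer, but by the time the datagram is dequeued from the UDP socket the socket layer has already cleared it, so any consumer on that side of the queue must treat the pointer as untrusted.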